TurboTax, the most popular online tax preparation software, halted state e-filing from February 5 to February 6 due to an increase in suspicious activity. The service was suspended because stolen account credentials were used to file fake state tax returns. Scammers have been masquerading as TurboTax in an attempt to phish account credentials of TurboTax users.
TurboTax Identity Service
Figure 1. Fake ‘TurboTax Identity Service’ email
The email contains an “attached form,” an HTML attachment that borrows source code and elements from the real TurboTax website. Last month, we noticed a LinkedIn phishing scam using this exact tactic.
Figure 2. Fake TurboTax page
When reviewing the attachment, we noticed that parts of the page, such as the header and footer sections, did not render correctly. However, the body of the HTML file is stylistically identical to the real TurboTax website.
When a user logs into a website, the only two pieces of information that they typically need to provide are their user ID and password. In this case, the scammers have added additional fields for the recipients’ email address and email password, as well as their security question and answer.
If the recipient were to submit this information in order to sign in, all of it would be sent off to the scammers.
Figure 3: Source code of TurboTax.htm file
The scammers would now possess the victim’s TurboTax and email login credentials and would know their security question and answer. With all of this information, the attacker could log in to the victim’s TurboTax account and email account, and potentially lock the recipient out of both.
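The traits described above (a sign-in form delivered as an HTML attachment, asking for a second password and security-question details, and submitting to a remote server) can be checked mechanically by a mail filter or an analyst. The following is an added example, not code from the original article or from Intuit; the sample markup, field names, collector URL, `EXTRA_HINTS` and `trusted_hosts` are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not the real attachment: the field names and the
# collector URL (reserved .invalid TLD) are placeholders.
SAMPLE_ATTACHMENT = """
<form method="post" action="http://collector.example.invalid/save.php">
  <input type="text" name="userid">
  <input type="password" name="password">
  <input type="text" name="email">
  <input type="password" name="email_password">
  <input type="text" name="security_question">
  <input type="text" name="security_answer">
</form>
"""
EXTRA_HINTS = ("email", "question", "answer")  # assumed name fragments

class FormCollector(HTMLParser):
    """Collect each form's action URL and its (type, name) input pairs."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "inputs": []})
        elif tag == "input" and self.forms:
            kind = (a.get("type") or "text").lower()
            self.forms[-1]["inputs"].append((kind, (a.get("name") or "").lower()))

def audit_attachment(html, trusted_hosts=()):
    """Return findings for credential forms found in an HTML attachment."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        passwords = [n for t, n in form["inputs"] if t == "password"]
        host = urlparse(form["action"]).hostname
        if passwords and host and host not in trusted_hosts:
            findings.append(f"credentials post to remote host {host}")
        if len(passwords) > 1:
            findings.append(f"{len(passwords)} password fields in one form")
        extras = sorted({n for t, n in form["inputs"]
                         if t != "password" and any(h in n for h in EXTRA_HINTS)})
        if extras:
            findings.append("extra identity fields: " + ", ".join(extras))
    return findings
```

An ordinary sign-in form with a user ID, one password field and a relative action produces no findings, so the three checks together single out the over-collecting form this scam relies on.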
Tips when filing your taxes online
Filing your taxes online is intended to be convenient. Unfortunately, scammers know that many users prefer to file online and will experiment with ways to steal login credentials to services like TurboTax.
When preparing to file your taxes, keep the following tips in mind:
- Be skeptical of unexpected and unprompted email communications. If you didn’t ask for it, then it is likely a scam.
- Never download and open attachments claiming to be a “secure” way to log in and verify your identity. This method is intended to bypass anti-phishing features in most modern browsers.
- When in doubt, don’t click on a link in an email. Instead, open up a new browser window or tab and log in directly.
Symantec reached out to Intuit for comment and they requested that suspicious emails using the TurboTax brand be sent to the following email address: